Bug 1007469
| Summary: | When in IPA server mode, SSSD should map trusted forest subdomains to root domain realm | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Dmitri Pal <dpal> |
| Component: | sssd | Assignee: | Jakub Hrozek <jhrozek> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Kaushik Banerjee <kbanerje> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | medium | | |
| Version: | 7.0 | CC: | grajaiya, jgalipea, lslebodn, mkosek, nsoman, pbrezina, sbose, sgoveas |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | sssd-1.11.1-1.el7 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2014-06-13 11:19:16 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Dmitri Pal
2013-09-12 14:37:04 UTC
Sumit is actively working on this bug.

master:
ce29aa8998332fd3c2e4e4b81e7302d41c461893
bbd43fbcd8f70eedeac4e4ce01c36256cde82ab1
c5711b0279ea85d69fe3c77dfb194360c346e1d7

sssd-1-11:
2ad333640cdd48e64ffb3183dcdede747285dcd1
0ee14e804e5a6ef6c0fbcc006c376d7cd51a960f
a091e5b7831ea84c739493dc20a84ad834f6df7e

Temporarily moving bugs to MODIFIED to work around an errata tool bug.

To verify this ticket, you should check the SSSD-generated krb5.conf include file /var/lib/sss/pubconf/krb5.include.d/domain_realm_IPA_REALM on a FreeIPA host with a trust to an AD forest with more than one domain. In this file all domain-REALM pairs of the AD forest should be listed in the [domain_realm] section, and in the [capaths] section you should see entries like

```
FOREST.MEMBER = {
  IPA.REALM = FOREST.ROOT
}
IPA.REALM = {
  FOREST.MEMBER = FOREST.ROOT
}
```

for every domain in the forest except the forest root.

```
[root@dhcp207-218 ~]# echo Secret123 | ipa trust-add adtest.qe --type ad --admin administrator --password
--------------------------------------------------
Added Active Directory trust for realm "adtest.qe"
--------------------------------------------------
  Realm name: adtest.qe
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
  SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified
[root@dhcp207-218 ~]# cat /var/lib/sss/pubconf/krb5.include.d/domain_realm_newdom_qe
[domain_realm]
[root@dhcp207-218 ~]# ipa trustdomain-find adtest.qe
  Domain name: adtest.qe
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
  Domain enabled: True

  Domain name: pune.adtest.qe
  Domain NetBIOS name: PUNE
  Domain Security Identifier: S-1-5-21-91314187-2404433721-1858927112
  Domain enabled: True
----------------------------
Number of entries returned 2
----------------------------
[root@dhcp207-218 ~]# cat /var/lib/sss/pubconf/krb5.include.d/domain_realm_newdom_qe
[domain_realm]
[root@dhcp207-218 ~]# getent passwd testu1.qe
testu1.qe:*:839001108:839001108:testu1 user:/home/pune.adtest.qe/testu1:
```

* File contents get added as expected after a while, or when a lookup is done for a user in a trusted domain:

```
[root@dhcp207-218 ~]# cat /var/lib/sss/pubconf/krb5.include.d/domain_realm_newdom_qe
[domain_realm]
.adtest.qe = ADTEST.QE
adtest.qe = ADTEST.QE
.pune.adtest.qe = PUNE.ADTEST.QE
pune.adtest.qe = PUNE.ADTEST.QE
[capaths]
PUNE.ADTEST.QE = {
  NEWDOM.QE = ADTEST.QE
}
NEWDOM.QE = {
  PUNE.ADTEST.QE = ADTEST.QE
}
```

This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.
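The verification step described above, automated as an added Python example (not SSSD's or FreeIPA's own code): it parses the generated include file and reports every [domain_realm] or [capaths] entry that is missing for a given IPA realm, forest root and list of member domains. The function names are hypothetical, the parser accepts only the subset of krb5.conf syntax SSSD writes and merges repeated groups with the same key, and SAMPLE is the include file contents quoted in the bug.

```python
from typing import Dict, List

def parse_krb5_include(text: str) -> Dict[str, dict]:
    # Subset of krb5.conf syntax SSSD writes: [section], key = value, key = { ... }.
    # Groups repeated under the same key are merged, so either layout passes.
    sections: Dict[str, dict] = {}
    section = group = None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section, group = sections.setdefault(line[1:-1], {}), None
        elif section is None:
            raise ValueError(f"entry outside any section: {line!r}")
        elif line == "}":
            group = None
        else:
            key, _, value = (part.strip() for part in line.partition("="))
            if value == "{":
                group = section.setdefault(key, {})
            else:
                (group if group is not None else section)[key] = value
    return sections

def check_forest_mapping(text: str, ipa_realm: str, forest_root: str,
                         members: List[str]) -> List[str]:
    # Empty result means the file matches the fix: each forest domain maps to its
    # own realm and each non-root domain has both [capaths] entries via the root.
    conf = parse_krb5_include(text)
    domain_realm = conf.get("domain_realm", {})
    # Only group entries are paths; a bare 'REALM = X' line under [capaths] is not.
    capaths = {k: v for k, v in conf.get("capaths", {}).items() if isinstance(v, dict)}
    ipa, root = ipa_realm.upper(), forest_root.upper()
    problems = []
    for dom in [forest_root, *members]:
        for name in (dom.lower(), "." + dom.lower()):
            if domain_realm.get(name) != dom.upper():
                problems.append(f"[domain_realm] missing {name} = {dom.upper()}")
    for realm in (m.upper() for m in members):
        if capaths.get(realm, {}).get(ipa) != root:
            problems.append(f"[capaths] missing {realm} = {{ {ipa} = {root} }}")
        if capaths.get(ipa, {}).get(realm) != root:
            problems.append(f"[capaths] missing {ipa} = {{ {realm} = {root} }}")
    return problems

# Include file contents reported in the bug after a user from PUNE was looked up.
SAMPLE = ("[domain_realm]\n.adtest.qe = ADTEST.QE\nadtest.qe = ADTEST.QE\n"
          ".pune.adtest.qe = PUNE.ADTEST.QE\npune.adtest.qe = PUNE.ADTEST.QE\n"
          "[capaths]\nPUNE.ADTEST.QE = {\n  NEWDOM.QE = ADTEST.QE\n}\n"
          "NEWDOM.QE = {\n  PUNE.ADTEST.QE = ADTEST.QE\n}\n")
```

Against a live host, feed it the contents of /var/lib/sss/pubconf/krb5.include.d/domain_realm_IPA_REALM together with the forest root and member domains listed by `ipa trustdomain-find`; the empty file seen right after `ipa trust-add` reports every entry as missing until the first lookup populates it.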